BLOG: Should cloud contracts cover client responsibilities?

Thomas J. Trappler | June 27, 2012

The main focus of a cloud computing contract is on vendor responsibilities, but it's appropriate to consider what the client remains responsible for.

When I was a guest on CIO Talk Radio earlier this month, a question came up about which client responsibilities are appropriate to include in a cloud computing contract. It's a good question, and one that I haven't really talked about here, since most of my Computerworld columns have focused on vendor responsibilities that you should codify in the contract.

So what are some client responsibilities that are reasonably addressed in a cloud computing contract? While they vary depending upon the type of cloud service and the use case, the most common examples involve client IT governance, including the following:

Client Access

When choosing a cloud provider, it's important to follow best practices in determining that the vendor's security practices align with your needs. But that's only one side of the security coin.

As with most things in IT, access to a cloud service typically requires a login ID and password. When a client enterprise acquires a cloud service, it should be the client's responsibility to figure out which end users should be given access. But to thoroughly address this responsibility, the client should also define when access should be taken away from a user -- for example, upon separation from employment or upon a change in duties or responsibilities.

Password Security

Responsibility for the security of each individual login ID and password lies with the client's end users. The recent alleged hack of Mitt Romney's email and Dropbox passwords, in which the hacker was able to easily answer "secret" security challenges and gain access, illustrates the risks. Even though there are many commonly available best practices in password security and widely publicized examples of these hacks (Romney might have done well to remember a similar hack against Sarah Palin a few years ago), human nature tends to make it difficult to maintain focus on these efforts, so diligence is necessary.

This isn't to say that cloud vendors don't retain some responsibilities related to password security. Because the cloud is a new and evolving market, vendors focused on growth can neglect security basics. For a quick primer on what not to do, read about the recent LinkedIn breach, which provided hackers with the passwords of over 6 million LinkedIn users.

Data

In an initial evaluation of a cloud service, you try to project the use case. You think about the business criticality of the function being moved to the cloud and the type of data that would be processed or stored by the cloud service. Ideally, though, once the cloud service is operational, it takes off with your end users, who begin to think of all kinds of ways to use the service that may not have been factored into your initial evaluation.